GSA_kwCzR0hTQS1nZjkzLXhjY20tNWc2as4ABOMs

High CVSS: 8.7 EPSS: 0.00031% (0.0782 Percentile) EPSS:

Permalink JSON

MARIN3R: Cross-Namespace Vulnerability in the Operator

Affected Packages	Affected Versions	Fixed Versions
go:github.com/3scale-sre/marin3r PURL: `pkg:go/github.com%2F3scale-sre%2Fmarin3r`	<= 0.13.3	0.13.4
0 Dependent packages 0 Dependent repositories Affected Version Ranges All affected versions v0.1.0, v0.1.1, v0.1.2, v0.1.3, v0.1.4, v0.2.0, v0.4.0-alpha2, v0.4.1, v0.4.2, v0.5.0, v0.5.1, v0.5.2, v0.6.0, v0.7.0, v0.7.0-alpha1, v0.7.0-alpha2, v0.7.0-alpha3, v0.7.0-alpha4, v0.7.0-alpha5, v0.7.0-alpha6, v0.7.0-alpha7, v0.7.0-alpha8, v0.8.0, v0.9.0, v0.9.1, v0.10.0, v0.11.0, v0.11.1, v0.12.0, v0.12.1, v0.12.2, v0.12.3, v0.13.0, v0.13.1, v0.13.2, v0.13.3 All unaffected versions

Summary

Cross-namespace Secret access vulnerability in DiscoveryServiceCertificate
allows users to bypass RBAC and access Secrets in unauthorized namespaces.

Affected Versions

All versions prior to v0.13.4

Patched Versions

v0.13.4 and later

Impact

Users with permission to create DiscoveryServiceCertificate resources in one
namespace can indirectly read Secrets from other namespaces, completely
bypassing Kubernetes RBAC security boundaries.

Workarounds

Restrict DiscoveryServiceCertificate create permissions to cluster administrators
only until patched version is deployed.

Credit

Thanks to @debuggerchen for the responsible disclosure.

References:

Identifiers

GHSA-gf93-xccm-5g6j

CVE-2025-64171

Risk

Severity

High

CVSS

CVSS Score: 8.7

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS

EPSS Percentage: 0.00031

EPSS Percentile: 0.0782

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/3scale-sre/marin3r

Date and time

Published

12 days ago

Updated

4 days ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories